Researchers at VeriSign’s iDefense division tracking the digital underworld say bogus and stolen
accounts on Facebook are now on sale in high volume on the black market.

Photo caption: Mark Zuckerberg, a founder of Facebook, the social
networking site that says it has sophisticated ways to defeat fake
accounts. (Kimberly White/Reuters)

During several weeks in February, iDefense tracked an effort to sell
log-in data for 1.5 million Facebook accounts on several online criminal
marketplaces, including one called Carder.su.

That hacker, who used the screen name “kirllos” and appears to deal
only in Facebook accounts, offered to sell bundles of 1,000 accounts
with 10 or fewer friends for $25 and with more than 10 friends for $45,
says Rick Howard, iDefense’s director of cyber intelligence.

The case points to a significant expansion in the illicit market for
social networking accounts, he says.

“We’re seeing this activity spread over to the U.S.,” he said.

Criminals steal log-in data for Facebook accounts, typically with
“phishing” techniques that trick users into disclosing their
passwords or with malware that logs keystrokes. They then use the
accounts to send spam, distribute malicious programs and run identity
and other fraud.

Facebook accounts are attractive because of the higher level of trust on
the site than exists in the broader Internet. People are required to
use their real names and tend to connect primarily with people they
know.

As a result, they are more likely to believe a fraudulent message or
click on a dubious link on a friend’s wall or an e-mail message.
Moreover, the accounts allow criminals to mine profiles of victims and
their friends for personal information like birth dates, addresses,
phone numbers, mothers’ maiden names, pets’ names and other tidbits that
can be used in identity theft.

Last summer, Eileen Sheldon’s Facebook account was hacked and used to
send messages to about 20 friends claiming she was stranded in Britain
without a passport and needed money. Ms. Sheldon, who lives in
California, had recently been living in London, and one friend,
believing the ruse, wired about $100 to the thieves.

Other friends smelled a fraud and warned Ms. Sheldon, who quickly
reported the problem to Facebook. She does not know how her password
was stolen.

While the accounts that were compromised and offered for sale could be
legitimate ones like Ms. Sheldon’s, they most likely also included bogus
accounts, Mr. Howard said. IDefense did not see the accounts
themselves, but the inclusion of many accounts with small numbers of
friends suggests the seller created fake accounts, perhaps using an
automated tool, and sent out blind friend requests.

Many users are eager to amass friends and accept friend requests from
people they do not know, even though Facebook discourages it.

Facebook says it has sophisticated systems to defeat fake accounts,
including tools for flagging them when they are created so they can be
investigated. This allows Facebook to “disable them before the bad guys
get very far,” a spokesman, Simon Axten, said.

Facebook also monitors for unusual activity that is associated with fake
accounts, like many friend requests in a short period of time and high
rates of friend requests that are ignored. It also investigates reports
of suspicious users.
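The two signals named above (bursts of friend requests and a high share of ignored requests) can be sketched as a simple detector. This is an added example, not Facebook's code: the event format, account names and every threshold are assumptions, since the article gives no numbers.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration only; the article states none.
WINDOW_SECONDS = 3600        # what counts as "a short period of time"
MAX_REQUESTS_IN_WINDOW = 20  # more than this inside the window is a burst
MAX_IGNORED_RATIO = 0.8      # share of resolved requests that were ignored
MIN_RESOLVED = 10            # do not judge an account on a tiny sample

def flag_accounts(events):
    """events: (timestamp, sender, outcome) tuples sorted by timestamp,
    outcome in {'accepted', 'ignored', 'pending'} (hypothetical schema).
    Returns {sender: set of reasons} for flagged senders only."""
    recent = defaultdict(deque)                 # sliding window per sender
    resolved = defaultdict(int)
    ignored = defaultdict(int)
    flags = defaultdict(set)
    for ts, sender, outcome in events:
        window = recent[sender]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:  # drop requests outside window
            window.popleft()
        if len(window) > MAX_REQUESTS_IN_WINDOW:
            flags[sender].add("burst")
        if outcome != "pending":                # pending requests say nothing yet
            resolved[sender] += 1
            ignored[sender] += outcome == "ignored"
    for sender, total in resolved.items():
        if total >= MIN_RESOLVED and ignored[sender] / total >= MAX_IGNORED_RATIO:
            flags[sender].add("ignored_ratio")
    return dict(flags)

def sample_events():
    """Constructed sample data, not real account activity."""
    ev = []
    # acct_a: 30 requests one minute apart, 27 of them ignored
    ev += [(i * 60, "acct_a", "accepted" if i % 10 == 0 else "ignored")
           for i in range(30)]
    # acct_b: 12 requests one day apart, mostly accepted
    ev += [(i * 86400, "acct_b", "ignored" if i < 2 else "accepted")
           for i in range(12)]
    # acct_c: 15 requests two hours apart, 13 of them ignored
    ev += [(i * 7200, "acct_c", "accepted" if i < 2 else "ignored")
           for i in range(15)]
    return sorted(ev)

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(sample_events()).items()):
        print(account, sorted(reasons))
```

A flag here is a reason to investigate an account, matching the article's description of flagging accounts "so they can be investigated", not proof that the account is fake.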

The relatively low asking prices for the Facebook accounts point to the
fact that Facebook accounts do not translate into instant profit. “The
people that buy these things are going to have to do more work to make
money,” Mr. Axten said.
